Merge pull request #89 from EMCECS/feature-bucket-policy-enhancement

Add Support for Principals other than "*" in Bucket Policy
EMCECS · May 26, 2022 · 749db85 · 749db85
2 parents fcdce24 + a6baaa3
commit 749db85
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 8 deletions.
diff --git a/src/main/java/com/emc/object/s3/bean/BucketPolicyStatement.java b/src/main/java/com/emc/object/s3/bean/BucketPolicyStatement.java
@@ -26,13 +26,17 @@
  */
 package com.emc.object.s3.bean;
 
-import javax.xml.bind.annotation.XmlElement;
-import javax.xml.bind.annotation.XmlElementWrapper;
-import javax.xml.bind.annotation.XmlEnum;
-import javax.xml.bind.annotation.XmlType;
+import com.fasterxml.jackson.annotation.JsonRawValue;
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.databind.DeserializationContext;
+import com.fasterxml.jackson.databind.JsonDeserializer;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+
+import javax.xml.bind.annotation.*;
+import java.io.IOException;
 import java.util.*;
 
-@XmlType(propOrder = {"sid", "effect", "principal", "actions", "resource", "conditions"})
+@XmlType(propOrder = {"sid", "effect", "rawPrincipal", "actions", "resource", "conditions"})
 public class BucketPolicyStatement {
     private String sid;
     private Effect effect;
@@ -57,10 +61,23 @@ public void setSid(String sid) {
 
     public void setEffect(Effect effect) { this.effect = effect; }
 
+    @XmlTransient
+    public String getPrincipal() {
+        if ("\"*\"".equals(principal)) return "*"; // backward-compatible for "*"
+        return principal;
+    }
+
     @XmlElement(name = "Principal")
-    public String getPrincipal() { return principal; }
+    @JsonRawValue()
+    @JsonDeserialize(using = RawDeserializer.class)
+    public String getRawPrincipal() { return principal; }
+
+    public void setPrincipal(String principal) {
+        if ("*".equals(principal)) this.principal = "\"*\""; // backward-compatible for "*"
+        else this.principal = principal;
+    }
 
-    public void setPrincipal(String principal) { this.principal= principal; }
+    public void setRawPrincipal(String principal) { this.principal = principal; }
 
     @XmlElement(name = "Action")
     public List<BucketPolicyAction> getActions() {
@@ -159,4 +176,11 @@ public int hashCode() {
     public enum Effect {
         Allow, Deny
     }
+
+    public static class RawDeserializer extends JsonDeserializer<String> {
+        @Override
+        public String deserialize(JsonParser p, DeserializationContext ctxt) throws IOException {
+            return p.getCodec().readTree(p).toString();
+        }
+    }
 }
diff --git a/src/test/java/com/emc/object/s3/bean/BucketPolicyTest.java b/src/test/java/com/emc/object/s3/bean/BucketPolicyTest.java
@@ -62,6 +62,13 @@ public class BucketPolicyTest {
             "        \"aws:SourceIp\" : [ \"54.240.143.128/30\", \"2001:DB8:1234:5678:ABCD::/80\" ]" + System.lineSeparator() +
             "      }" + System.lineSeparator() +
             "    }" + System.lineSeparator() +
+            "  }, {" + System.lineSeparator() +
+            "    \"Sid\" : \"PrincipalArn\"," + System.lineSeparator() +
+            "    \"Effect\" : \"Allow\"," + System.lineSeparator() +
+            "    \"Principal\" : {\"AWS\":[\"arn:ecs:iam::ns:user/my-user\",\"arn:ecs:iam::ns:user/other-user\"]}," + System.lineSeparator() +
+            "    \"Action\" : [ \"s3:*\" ]," + System.lineSeparator() +
+            "    \"Resource\" : \"arn:aws:s3:::examplebucket/*\"," + System.lineSeparator() +
+            "    \"Condition\" : { }" + System.lineSeparator() +
             "  } ]" + System.lineSeparator() +
             "}";
 
@@ -74,7 +81,12 @@ public class BucketPolicyTest {
                     .withCondition(PolicyConditionOperator.IpAddress, new PolicyConditionCriteria()
                             .withCondition(PolicyConditionKey.SourceIp, "54.240.143.0/24", "2001:DB8:1234:5678::/64"))
                     .withCondition(PolicyConditionOperator.NotIpAddress, new PolicyConditionCriteria()
-                            .withCondition(PolicyConditionKey.SourceIp, "54.240.143.128/30", "2001:DB8:1234:5678:ABCD::/80"))
+                            .withCondition(PolicyConditionKey.SourceIp, "54.240.143.128/30", "2001:DB8:1234:5678:ABCD::/80")),
+            new BucketPolicyStatement().withSid("PrincipalArn")
+                    .withEffect(BucketPolicyStatement.Effect.Allow)
+                    .withPrincipal("{\"AWS\":[\"arn:ecs:iam::ns:user/my-user\",\"arn:ecs:iam::ns:user/other-user\"]}")
+                    .withActions(BucketPolicyAction.All)
+                    .withResource("arn:aws:s3:::examplebucket/*")
     );
 
     @Test